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ABSTRACT:  With  limited  maintenance  dedicated  to  aging  dam  spillway  gate  struc¬ 
tures,  there  is  an  increased  risk  of  gate  inoperability  and  corresponding  dam  failure  due 
to  malfunction  or  inadequate  design.  This  report  summarizes  research  on  methodologies 
to  assist  in  quantifying  risks  related  to  dam  gates  and  associated  operating  equipment, 
and  how  those  risks  relate  to  overall  spillway  failure  risk.  The  objective  of  the  research 
was  to  demonstrate  how  fault  tree  analytical  methods  may  be  applied  to  improve  the 
quality  of  dam  gate  risk  analysis. 

Two  different  methods  of  prescreening  analysis  are  presented  and  evaluated.  The  first 
uses  probabilities  for  more  events,  defined  more  precisely  than  in  standard  practice,  and 
adds  criticality  ranking;  the  second  uses  more  traditional  estimation  of  failure  probabili¬ 
ties  in  conjunction  with  subsystem  importance-ranking  factors  to  estimate  overall  gate 
system  failure  probability.  Both  methods  can  be  linked  qualitatively  with  the  Lafitte 
risk  method  through  event  costs  and  consequences  to  determine  the  overall  risk  for  a 
dam  spillway  system. 

Enhancement  of  the  two  demonstrated  methods  would  require  a  direct  application  of  the 
methods  to  an  existing  dam  gate  system.  Also,  additional  research  would  be  necessary  to 
better  determine  the  risk  consequence  factor,  a,  used  in  the  Lafitte  equation  for  calculat¬ 
ing  overall  risk. 


DISCLAIMER:  The  contents  of  this  report  are  not  to  be  used  for  advertising,  publication,  or  promotional 
purposes.  Citation  of  trade  names  does  not  constitute  an  official  endorsement  or  approval  of  the  use  of  such 
commercial  products.  All  product  names  and  trademarks  cited  are  the  property  of  their  respective  owners.  The 
findings  of  this  report  are  not  to  be  construed  as  an  official  Department  of  the  Army  position  unless  so  designated 
by  other  authorized  documents. 

DESTROY  THIS  REPORT  WHEN  NO  LONGER  NEEDED.  DO  NOT  RETURN  IT  TO  THE  ORIGINATOR. 
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Conversion  Factors 


Non-SI  units  of  measure  used  in  this  report  can  be  converted  to  SI  units  as  fol¬ 
lows: 
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By 
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4,046.873 

square  meters 

cubic  feet 
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cubic  meters 
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horsepower  (550  ft-lb  force  per  second) 
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watts 

inches 

0.0254 
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square  feet 
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square  miles 
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tons  (force) 
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kilograms 
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1  Introduction 

1.1  Background 

Dams  are  an  important  part  of  the  nation’s  public  infrastructure,  providing  mul¬ 
tiple  benefits  such  as  water  supply,  flood  control,  navigation,  hydropower,  rec¬ 
reation,  and  irrigation.  However,  with  limited  maintenance  dedicated  to  aging 
gate  structures  at  dam  spillways,  there  is  an  increasing  risk  of  potential  dam 
failures  due  to  gate  inoperability,  malfunction,  or  under-design.  This  report  pre¬ 
sents  research  directed  toward  the  development  of  methodologies  to  assist  in 
quantifying  the  risks  for  dam  gates  and  associated  operating  equipment,  and 
how  these  risks  relate  to  overall  spillway  risk.  The  study  represents  an  exten¬ 
sion  of  previous  research  efforts  documented  in  Putcha  and  Patev  (2000). 

The  focus  of  this  study  was  the  development  of  analysis  tools  for  risk  assessment 
related  to  dam  gates  and  associated  operating  equipment.  Specifically,  the  ap¬ 
plicability  of  detailed  fault  tree  analysis  to  a  dam  spillway  system  is  examined, 
with  a  concentration  on  the  failure  of  the  dam  gates  and  operational  subsystems. 
Two  different  methods  of  prescreening  analysis  are  presented  and  evaluated. 
The  first  method  uses  probabilities  for  more  events  defined  more  precisely  than 
in  standard  practice,  and  adds  criticality  analysis  to  rank  each  of  the  potential 
failure  modes  in  a  failure  modes  and  effects  analysis.  The  second  method  uses 
more  traditional  estimation  of  failure  probabilities  in  conjunction  with  impor¬ 
tance-ranking  factors  for  the  gate  subsystems  to  estimate  the  probability  of  fail¬ 
ure  for  the  overall  gate  system.  Detailed  examples  for  gate  subsystems  are  pre¬ 
sented  to  show  how  the  methodologies  can  be  applied  to  dam  gates.  These 
methods  can  then  be  linked  qualitatively  with  the  Lafitte  risk  method  through 
event  costs  and  consequences  to  determine  the  associated  overall  risks  for  a  dam 
spillway  system. 

1.2  Objective 

The  objective  of  this  work  was  to  demonstrate  how  fault  tree  analytical  methods 
may  be  applied  to  improve  the  quality  of  dam  gate  risk  analysis. 
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1.3  Approach 

The  fault  trees  developed  in  this  work  effort  were  based  on  numerous  consulta¬ 
tions  with  design  engineers  at  various  Corps  of  Engineers  dam  facilities 
throughout  the  United  States.  Additionally,  site  visits  were  undertaken  to  Whit¬ 
tier  Narrows  Dam  in  the  Los  Angeles,  CA,  area;  and  the  Gavins  Point  Dam  in 
Yankton,  SD.  During  the  site  visits,  in-depth  discussions  were  held  with  engi¬ 
neers  familiar  with  those  facilities.  These  engineers  who  participated  in  the  de¬ 
velopment  of  the  fault  trees  were  multidisciplinary,  and  included  operations  and 
dam  safety  personnel.  Results  from  a  literature  review  of  the  Lafitte  risk- 
consequence  factor  (Lafitte  1993,  1996)  are  also  discussed. 


1.4  Scope 

The  scope  of  the  research  reported  here  was  limited  to  the  risk  analysis  of  dam 
gates  and  associated  operating  equipment,  but  not  to  an  entire  dam  spillway  sys¬ 
tem.  In  order  for  any  dam  spillway  system  risk  analysis  method  to  be  effective, 
it  is  critical  to  have  a  valid  data  set  on  the  failure  rate  of  dam  gate  components, 
or  at  least  methods  for  the  timely  acquisition  of  such  data.  Without  better  data, 
the  methods  proposed  in  this  report,  and  any  other  risk-based  methods,  will  lack 
the  accuracy  necessary  to  provide  useful  quantitative  measures  of  risk.  System¬ 
atic  collection  of  data  on  the  performance  of  gate  components  and  all  other  criti- 
cal  components  of  the  civil  works  inventory  is  essential  to  the  success  of  an 
overall  risk  management  program.  Besides  basic  failure  rate  data  for  civil  works 
applications,  there  are  at  least  two  other  related  data  points  that  must  be  con¬ 
sidered:  maintenance  history  /  condition  and  failure  mode.  Most  failure  rate  da¬ 
tabases  include  little  or  no  consideration  of  component  maintenance  history  and 
condition  even  though  these  obviously  have  a  substantial  impact  on  the  equip¬ 
ment  failure  rate.  Also,  and  specifically  with  respect  to  this  report,  some  risk 
assessment  methods  presented  here  require  some  detailed  information  on  the 
modes  of  failure  for  each  component.  This  type  of  data  is  important  because,  for 
example,  the  impact  of  a  locked  brake  is  quite  different  from  the  consequences  of 
a  brake  that  will  not  hold. 


Such  data  are  currently  collected  only  for  hydropower  equipment.  Rock  Island  District  has  had  some  limited  suc¬ 
cess  collecting  data  on  electrical  and  mechanical  gate  equipment,  which  is  available  for  inspection  at 

http://www.mvr.usace.armv.mil/failuredata/default.asp. 
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1 .5  Mode  of  Technology  Transfer 

The  findings  of  this  study  demonstrate  how  fault  tree  methodologies  could  be  in¬ 
corporated  in  an  Engineer  Technical  Letter  (ETL)  on  dam  gate  risk  analysis. 
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2  Fault  Trees  for  Dam  Gates 


Fault  trees  are  one  of  the  most  important  and  simplest  methods  that  can  be  used 
to  help  in  the  risk  assessment  of  dam  gates.  These  gate  systems  are  often  quite 
complex  and  detailed,  with  various  types  of  structural,  mechanical,  and  electrical 
equipment.  Fault  trees  can  provide  a  consistent  framework  on  which  an  engi¬ 
neer  can  base  a  risk  analysis. 

Fault  trees  use  different  symbols  to  define  both  the  inherent  redundancy  and  op¬ 
eration  of  the  gates  and  its  subsystems.  The  typical  symbols  are  shown  in 
Figure  1.  Triangles  represent  connection  branches  that  fold  in  the  events  up  to 
the  top  layer.  Squares  or  rectangles  represent  a  failure  event  or  component.  The 
‘inverted  horseshoe’  shape  is  an  OR  gate,  which  requires  either  sub-event  or  con¬ 
dition  for  the  system  to  fail.  AND  gates  are  represented  by  a  “railroad  tunnel” 
shape  and  require  all  sub-events  to  occur.  Circles  indicate  a  basic  or  bottom 
level  branch,  which  may  be  defined  by  many  failure  modes. 


0 

AND  event 

A 

OR  event 

o 

Basic  component  failure  event 

1 

System  or  component  event 

A 

Transfer  symbol 

O 

Undeveloped  event 

Figure  1.  Typical  symbols  used  in  fault  tree  analysis. 
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A  simplified  fault  tree  for  dam  gates  and  associated  operating  equipment  is 
shown  in  Figure  2.  The  top  event  relates  as  to  whether  the  gate  fails  in  the  open 
or  closed  position.  The  triangle  at  the  top  of  Figure  2  relates  to  how  the  gate  sys¬ 
tem  that  contains  structural,  electrical,  and  mechanical  equipment  contributes 
to  the  overall  spillway  risk.  The  overall  spillway  risk  is  not  included  in  this  fault 
tree  but  is  discussed  to  some  extent  in  Chapter  6.  The  goal  of  these  fault  trees  is 
to  define  a  highly  detailed  (i.e.,  “bushy”)  representation  of  the  fault  environment 
so  that  the  user  can  rapidly  eliminate  or  accept  branches  on  the  basis  of  pre¬ 
screening  and  background  knowledge  of  the  specific  dam  project. 


Figure  2.  Fault  tree  for  gate  failures. 


Examples  of  fault  trees  down-branching  from  the  top  events  are  shown  in  Figure 
3,  Figure  4,  and  Figure  5.  These  represent  a  basic  breakdown  of  three  critical 
branches:  structural,  mechanical,  and  electrical  subsystems.  The  subsystems 
are  connected  to  an  up-event  by  the  triangle.  Subsequent  to  each  of  these  bottom 
level  events  are  the  cause  and  consequence  of  each  failure  mode.  For  purposes  of 
brevity,  these  are  not  directly  defined  in  the  boxes  within  the  fault  trees.  Faults 
(i.e.,  causes)  for  the  events  identified  for  the  subsystem  represented  in  Figure  3  — 
Figure  5  are  presented  in  more  detail  in  Table  1. 
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Figure  3.  Fault  tree  for  gate  structural  breakdown. 
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Figure  4.  Fault  tree  for  gate  mechanical  breakdown 
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Figure  5.  Fault  tree  for  gate  electrical  breakdown. 
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Figure  6.  Fault  tree  for  gate  operational  breakdown. 
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Table  1 .  Example  causes  of  failure  events  for  fault  trees  shown  in  Figures  2-6. 


Failure  Event 

Cause 

1.  Concrete  Deterioration 

•  Corrosion  of  R-Bar 

•  Cracks  from  overload 

•  Salt  (chloride)  or 

•  Sulfate  reaction 

2.  Inadequate  Spillway 

•  Changes  in  PMF 

Capacity 

•  Changes  in  run-off  as  a  result  of  increased  development  around  lakes 
and  in  drainage  basin 

•  Political/public  opposition  to  raising  dam  height  or  modifying  spillway 
gates 

•  Lack  of  funds  to  make  necessary  changes 

•  Poor  maintenance  of  equipment 

•  Silt/debris  build-up  on  front  of  gates  and  on  the  bottom  of  the  pool 

•  Gate  entrance  blocked  from  ice  dams  or  debris  material  during 
discharge  of  flood  event 

•  Failure  of  upstream  dam 

3.  Broken  Linkages 

•  Failure  of  gear  box 

•  Failure  of  cables/chains 

•  Failure  of  chain/cable  attachment  to  gate 

•  Failure  of  driveline  couplings  (come  apart) 

4.  Foundation  Instability 

•  Terrorism 

•  Overload  from  overtopping 

5.  Logs 

•  Logs  that  hang  up  on  top  of  gates  and  prevent  opening 

•  Logs  that  could  prevent  gate  closure 

•  Logs  that  could  hang  up  on  gates  and  cause  hydraulic  unbalance, 
vibration  and  failure  of  gate 

6.  Ice 

•  Ice  that  causes  gates  to  be  frozen  closed 

•  Ice  from  leakage  and  wave  splash  over  that  builds  up  on  gate  and 
prevents  opening  as  a  result  of  excessive  hoist  load. 

•  Ice  that  freezes  gates  in  the  open  position 

•  Ice  build-up  on  walkways,  gate  operating  equipment  that  prevents 
access  to  and  operation  of  controls 

7.  Failure  Of  Trunnion  Arm 

•  Debris  falling  on  arm 

•  Failure  due  to  corrosion 

•  Icing 

•  High  trunnion  friction 

•  Overtopping 

8.  Failure  of  Gate  Leaf/Skin 

•  Corrosion 

•  Physical  damage  from  debris 

•  Brittle  fracture 

9.  Failure  of  Metal  Anchor 

•  Corrosion 

•  Fatigue 

•  Torsional  loading 

•  Overloading 

10.  Failure  of  Concrete 

Piers 

•  Concrete  deterioration 

ERDC  TR-05-3 
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Failure  Event 

Cause 

11 .  Failure  of  Steel  Support 

•  Corrosion 

•  Overloading 

•  Fatigue 

•  Fasteners 

12.  Failure  of  Concrete 
Support 

•  Concrete  Deterioration 

13.  Drive  Shaft  Coupling 

•  Decoupling 

•  Keyway  failure  (key  and  keyway) 

•  Torsional  failure  of  shaft 

14.  Gear  Motor 

•  Failure  of  gears 

•  Shaft  failure 

•  Bearing  failure 

15.  Gear  Reducers 

•  Bearing  failure 

•  Gear  failure  (due  to  lack  of  lubrication,  fatigue  failure) 

•  Shaft  failure 

•  Housing  failure 

•  Sprocket/failure 

16.  Chain  Linkage  Failure 

•  Loss  of  snap  rings 

•  Corrosion 

17.  Gate  Connection 

•  Connection  itself 

(Bolted  Plate) 

•  Corrosion 

18.  Cable  End  Socket 

•  Corrosion 

19.  Hoisting  Brake 

•  Keyway  failure 

•  Shoe  failure 

•  Solenoid  failure 

•  Torsional  failure  of  spring 

21.  Transmission  Lines 

•  Ice 

•  Lightning 

•  Tornadoes 

22.  Utility  Substation 

•  Short  circuit 

Equipment/  Transformers 

•  Lightning 

23.  Control  Circuit  Failure 

•  Relays 

•  Control  buttons 

24.  Motor  Failure 

•  Insulation  failure 

•  Bearing  failure 

•  Windings 

25.  Inadequate  Gate  Seals 

•  Weathering  failure 

Side  Seals 

•  Abrasion  due  to  debris 

Bottom  Seals 

•  Abrasion  due  to  debris 

Differential  Monolith/ 

•  Foundation  settlement/rebound 

Settlement 

•  Earthquake 

•  Seepage  and  piping 

•  Excessive  friction 

27.  Trash  and  Debris 

•  Due  to  trees,  logs 
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Failure  Event 

Cause 

28.  Galvanic  Corrosion  and / 
or  Mineral  Deposits 

Cables/Chains 

•  Corrosion/mineral  deposits 

•  Seizing  of  chains 

Trunnion  Anchorage 

•  Corrosion 

•  Brittle  fracture 

Trunnion  Bearings/Pin 

•  Inadequate  lubrication 

Trunnion  Arms  and  Girders 

•  Paint  failure 

29.  Inadequate  Design 

•  All  load  conditions  not  assessed  (dead  weight,  trunnion  friction,  wave 
height  and  ride  up) 

30.  Operational  Procedure 

•  Human  error 

•  Inadequate  hydraulic  calculation  capabilities 

•  Inadequate  surveillance 

•  Motor  on  overload  and  operator  fails  to  recognize  it 

•  Annual  gate  operations  test 

31.  Excessive  Friction 

•  Bearing  failure 

•  Inadequate  lubrication 

•  Misalignment 

•  Differential  movement  (resulting  in  gate  binding) 

•  Alkali-aggregate  reaction  (vertical  lift  gates) 

32.  Vandalism 

•  Due  to  sabotage  of  mechanical  parts 

•  Due  to  sabotage  of  electrical  controls/motors 

•  Due  to  sabotage  of  structural  parts 

33.  Maintenance 

•  Lubrication  trunnion  bearing 

Procedures 

•  Gear  reducers 

•  Wire  ropes/sockets  inspections  for  damages  protection  for  gates 

•  Heaters  in  gearboxes  and  controls 

•  Gate-side  seal  heaters 

•  Gate-air  bubbler  system 

•  Trash  removal  from  in  front  of  gate 

•  Insulation  testing  (electrical) 

34.  Icing 

•  Gates  frozen  in  closed  position 

•  Gates  frozen  in  open  position 

35.  Lifting  Devices 

•  Access 

•  Icing/adverse  weather  conditions 

•  (See  electrical,  mechanical  and  structural  breakdown  for  details) 
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Failure  Event 

Cause 

36.  Access  Restrictions 

•  Flooding 

•  Washouts 

•  Freezing  rain 

•  Tornado 

•  Hurricane 

•  Freezing  mist  during  operation 

•  Earthquake 

37.  Loss  of  Data  Collection 

and  Communication 

•  Lack  of  monitoring  system 

•  Unchecked  monitoring  data 

•  Remote  unmanned  projects 

•  Loss  of  communication  links  between  data  collection  platforms 
(DCPs)  and  the  central  weather  management  centers 

•  Satellite  communication  links  down 
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3  Prospective  Methods  for  Prescreening 
Dam  Gate  Components 


The  ability  to  prescreen  components  can  save  significant  time  and  effort  risk  as¬ 
sessment  for  dam  gates.  Prescreening  helps  to  identify  redundancy  of  system 
components  and  to  rank  their  overall  importance  and  contribution  to  the  final 
risk  of  the  dam  gates.  Two  methods  can  be  used  to  assist  with  prescreening. 

The  first  method  focuses  on  the  application  of  a  criticality  index  using  failure 
modes  and  effects  analysis  (FMEA).  This  method  defines  the  risks  for  dam  gates 
based  on  the  probability  of  each  mode  of  gate  failure  and  a  criticality  index  that 
accounts  for  all  failure  modes  of  all  components  in  a  gate  system.  Looking  at  the 
effect  of  each  failure  mode  for  a  given  component  can  significantly  alter  the  as¬ 
sessment  of  risk.  The  second  method  applies  a  component’s  probability  of  failure 
to  the  functional  and  hardware  criticality  of  each  component.  This  functional 
and  hardware  criticality  accounts  for  redundancy  using  predefined  weighting 
functions  based  on  component  criticality. 

Both  of  these  methods  are  laid  out  using  the  fault  tree  analysis  methods  pre¬ 
sented  in  Chapter  2,  and  they  produce  results  that  are  different  in  significant 
ways. 


3.1  Criticality  Index  Method 
3.1.1  Explanation  of  Method 

This  method  uses  an  approach  that  computes  a  criticality  index  for  each  failure 
mode  of  a  component.  Criticality  can  be  defined  as  a  relative  measure  of  the  con¬ 
sequences  of  a  failure  mode  and  its  frequency  of  occurrence.  Criticality  indices 
are  not  considered  a  probability  per  se  but  are  a  realistic  measure  of  the  impor¬ 
tance  of  their  function  within  a  gate  system.  This  makes  the  criticality  index  ex¬ 
tremely  valuable  to  use  in  the  prescreening  of  dam  gate  components  and  ranking 
of  systems. 
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The  criticality  index  of  a  hardware  component  is  defined  by  Ebeling  (1997)  as 
follows: 


Q:  —  akpPk^pt 


(Equation  1) 


where 


Ck  =  the  criticality  index  for  failure  mode  k 

akp  =  the  fraction  of  the  component  p’s  failures  having  failure 

mode  k  (i.e.,  the  conditional  probability  of  failure  mode  k 
given  component  p  has  failed  and  they  must  sum  up  to 
unity) 

j3k  =  the  conditional  probability  that  failure  mode  k  will  result  in 
the  identified  failure  effect 

A  =  the  failure  rate  of  component  p 

t  =  duration  of  time  used  in  the  analysis 

To  determine  the  criticality  index  using  Equation  1,  the  parameters  X,  a,  and  |3 
must  be  determined  for  each  failure  mode  of  a  component.  It  should  be  noted 
that  Ck  determined  from  Equation  1  will  be  different  for  each  of  the  failure 

modes,  k,  for  a  component.  The  typical  procedure  used  for  the  criticality  index 
method  is  described  in  the  following  steps: 

1.  Obtain  the  failure  rate,  X,  of  the  hardware  component  from  the  field  data. 

This  value  will  be  common  for  all  the  associated  failure  modes  of  a  compo¬ 
nent. 

2.  Obtain  the  factor,  a,  which  is  the  probability  of  occurrence  for  each  failure 
mode  associated  with  the  hardware  component.  The  following  relation  must 
be  satisfied  for  all  failure  modes: 

Ea  =  1  (Equation  2) 

3.  Obtain  the  factor,  p,  which  is  the  probability  of  occurrence  of  the  failure  effect 
once  the  identified  failure  mode  has  occurred.  This  value  reflects  on  the 
weighting  in  the  final  criticality  index. 
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4.  Calculate  the  criticality  index,  Ck ,  for  a  specified  operation  period  or  dura¬ 
tion,  t,  of  a  system  component  using  Equation  1.  The  duration,  t,  will  be 
common  for  all  failure  modes. 

An  example  of  the  criticality  index  method  applied  to  an  electrical  system  break¬ 
down  is  presented  below. 

3. 1.2  Example  for  a  Gate  Electrical  Subsystem 

The  fault  tree  for  a  gate  electrical  breakdown  is  shown  in  Figure  7.  The  values 
of  the  relative  importance  of  each  component  for  each  AND  or  OR  event  gate  us¬ 
ing  a  weighting  factor  (Wi)  is  shown  in  Figure  7.  Because  criticality  indices  are 
not  probabilities,  typical  fault  tree  multiplication  cannot  be  invoked,  so  the 
weighting  factors  shown  in  Figure  7  are  an  estimate  to  relate  the  expected  con¬ 
tribution  of  the  component  to  the  overall  gate  system.  The  following  calculation 
shows  an  example  to  determine  the  criticality  index  for  a  turbine  generator.  The 
turbine  generator  1  is  defined  as  variable  Ctg-i  at  the  bottom  level  of  Figure  7. 


Figure  7.  Dam  gate  electrical  system  example. 
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The  failure  modes  for  the  turbine  generator  component  and  corresponding  criti¬ 
cality  indices  are  shown  in  Table  2.  The  value  for  the  failure  rate  is  taken  from 
supplied  industry  data  with  expected  values  for  X,  a,  and  t. 

Ctg-i  Bearing  Failure  =  akppkXt 


=  0.5  *  0.1  *  1.2  *  10-6*  1000 


=  60  *  10-6 


=>  Ctg-i  (total  of  all  failure  modes)  =  468*10'6 


Table  2.  Example  of  criticality  index  values  for  a  turbine  generator. 


Component 

Failure 

Mode 

Failure 

Rate 

Fraction 

Conditional 

Prob. 

Time 

Ck  Criticality 
Index 

(from  Eq.  1) 

A, 

a 

P 

t 

Turbine 

Generator 

Bearing 

Failure 

1.2  xIO'6 

0.5 

0.1 

1000 

hrs 

60x1  O'6 

Stator 

Failure 

1.2  xIO'6 

0.2 

0.2 

1000 

hrs 

48x1  O'6 

Governor 

Failure 

1.2  xIO'6 

0.3 

1.0 

1000 

hrs 

360*  1 0'6 

Total  =  468*1  O'6 

Similarly,  criticality  indices  can  be  calculated  for  the  remainder  of  the  compo¬ 
nents  shown  in  Figure  7  to  obtain  the  overall  criticality  index  of  the  failure  mode 
of  electrical  breakdown  ( Ceb ).  Details  of  this  calculation  for  the  electrical  system 
are  shown  in  more  detail  in  Chapter  4.  Using  the  steps  outlined  in  section  3.1 
and  multiplication  through  the  fault  tree,  the  Ceb  is  calculated  as  316*10'6.  This 
value  for  the  criticality  of  the  electrical  system  can  then  be  ranked  against  the 
other  criticality  indices  from  other  branches  of  the  fault  tree  shown  in  Figure  2. 
The  results  can  also  be  combined  for  each  subsystem  in  a  similar  manner  to  pro¬ 
vide  a  criticality  index  for  the  entire  gate  system. 


3.2  Failure/Criticality  Method 
3. 2. 1  Explanation  of  Method 

The  Mission  Criticality  method  uses  an  approach  that  computes  a  weighted 
probability  of  failure  for  the  gate  system  based  on  probabilities  of  failure  and 
criticality  of  the  lower  level  subcomponents.  Criticality  is  introduced  in  this 
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method  in  terms  of  a  loss  of  mission  (e.g.,  failure  of  gate  to  open/close)  related  to 
both  the  functional  and  hardware  requirements  of  a  component.  Failure  mode 
criticality  for  dam  gates  can  be  identified  at  a  functional  level,  or  a  hardware 
component  level,  or  a  combination  of  the  two.  One  method  defined  by  Boeing 
Systems  (1998)  classifies  failure  modes  according  to  the  three  levels  defined  be¬ 
low  in  Table  3. 

Hardware  criticality  is  designated  by  the  numbers  1,  2,  or  3,  as  shown  in  Table  3. 
A  hardware  criticality  of  1  indicates  loss  of  dam  gate  through  a  single  component 
failure.  A  hardware  criticality  of  2  indicates  a  loss  of  mission,  which  means  that 
nonstandard  methods  are  required  to  operate  the  gate  and  the  failure  of  any  re¬ 
dundant  item  would  render  the  gate  inoperable.  A  hardware  criticality  3  indi¬ 
cates  all  other  types  of  failure  that  do  not  cause  loss  of  mission  or  operation. 


Table  3.  Hardware  criticality  (Boeing  1998). 


Criticality 

Potential  Effect  of  Failure 

1 

Inoperable:  gate  will  not  open  or  gate  will  not  close. 

2 

Loss  of  redundant  items  requiring  nonstandard  methods  for  opening  or  closing  gates. 

3 

All  others. 

A  functional  criticality  is  designated  by  1,  1R,  2,  2R,  or  3  as  shown  in  Table  4.  A 
functional  criticality  of  1  indicates  that  loss  of  a  single  function  could  result  in 
loss  of  the  dam  gate.  A  functional  criticality  of  1R  indicates  redundant  hardware 
items  which,  if  all  failed  to  function,  could  cause  loss  of  dam  gate.  A  functional 
criticality  of  2  indicates  a  single  functional  failure  that  could  result  in  the  loss  of 
mission,  requiring  nonstandard  methods  for  gate  operation.  A  functional  criti¬ 
cality  of  2R  indicates  redundant  hardware  items  which,  if  all  failed,  could  cause 
loss  of  mission  gate.  A  function  criticality  3  indicates  all  other  types  of  func¬ 
tional  failure. 


Table  4.  Functional  criticality  (Boeing  1998). 


Criticality 

Potential  Effect  of  Failure 

1 

Single  failure  that  could  result  in  an  inoperable  dam  gate. 

1R 

Redundant  hardware  item(s),  all  of  which  if  failed,  could  result  in  an  inoperable 
dam  gate. 

2 

Loss  of  a  single  item  requiring  non-standard  methods  for  opening  or  closing  gate. 

2R 

Redundant  hardware  item(s),  all  of  which,  if  failed,  could  require  non-standard 
methods  for  opening  or  closing  gate. 

3 

All  others. 
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These  criticalities  may  be  combined  to  reflect  redundancy  in  the  system.  A  fail¬ 
ure  mode  may  also  be  classified  using  a  combined  functional  and  hardware  ap¬ 
proach,  as  shown  in  Table  5.  This  notation  can  also  include  redundancy  of  com¬ 
ponents  in  the  system,  if  there  is  any.  The  important  thing  to  note  is  that  a 
criticality  classification  of  a  combined  failure  mode  consists  of  three  characters  if 
there  is  redundancy  in  the  system  (1R3,  for  example).  The  first  character  is  a 
number  that  represents  the  functional  criticality.  The  second  character  is  an  R 
that  represents  redundancy  in  the  system.  The  third  character  is  a  number  rep¬ 
resenting  the  hardware  criticality. 

If  there  is  no  redundancy  in  the  system,  then  the  criticality  classification  of  the 
failure  mode  consists  of  two  characters  (2/2,  for  example).  The  first  number  re¬ 
presents  functional  criticality  and  the  second  number  represents  hardware  criti¬ 
cality.  In  either  case,  if  the  first  character  is  1,  it  implies  loss  of  gate  whereas  if 
the  first  character  is  2,  it  implies  loss  of  mission  with  potential  loss  of  gate  for 
the  present  project.  If  the  first  character  is  3,  it  implies  minimal  or  no  effect. 


Table  5.  Combined  criticality  of  the  failure  mode  (Boeing  1998). 


If  the  functional 
criticality  is: 

The  hardware 
criticality  is: 

The  combined 
criticality  is: 

Comments 

1 

1 

1/1 

The  hardware  criticality  is 
always  1. 

1R 

2 

1R2 

Hardware  criticality  is  2  if  a 
total  of  two  (2)  failures  could 
cause  loss  of  dam  gate. 

3 

1R3 

Hardware  criticality  is  3  if  a 
total  of  three  (3)  or  more 
failures  are  required  for 
potential  loss  of  dam  gate. 

2 

2 

2/2 

The  hardware  criticality  is  2  if 
single  failure  requires 
nonstandard  methods  for 
opening  or  closing  dam  gate. 

2R 

3 

2R3 

The  hardware  criticality  is  3  if 
two  failures  require 
nonstandard  methods  for 
opening  or  closing  dam  gate. 

3 

3 

3/3 

The  hardware  criticality  is 
always  3. 

If,  for  example,  a  failure  mode  were  classified  as  1R3  it  would  indicate  that  there 
is  redundancy  in  the  system  and  only  if  three  hardware  items  fail  would  there  be 
loss  of  dam  gate  operation.  Similarly,  if  a  failure  mode  were  classified  as  2R3, 
again  redundancy  would  be  available  in  the  system,  but  only  two  hardware  items 
need  fail  to  result  in  the  loss  of  dam  gate  operation.  Note  that  in  the  case  of  a 
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functional  criticality  of  2,  the  number  of  hardware  failures  needed  for  loss  of 
normal  gate  operation  is  one  less  than  the  number  indicated  in  the  criticality  of 
failure  mode  classification.  For  example,  if  a  failure  mode  is  classified  as  2/2,  it 
is  implied  that  a  single  hardware  component  failure  could  require  nonstandard 
methods  for  opening  or  closing  the  gate. 

Table  6  relates  the  criticality  classification  of  the  component  in  the  system  to  a 
contributing  weight  that  is  used  in  conjunction  with  the  defined  fault  tree. 
Weighting  is  used  to  prevent  minor  to  noncritical  items  from  influencing  a  poten¬ 
tially  dominating  probability  of  failure  to  the  top  event.  This  weighting  feature 
makes  this  method  a  very  powerful  tool  to  use  in  the  prescreening  of  dam  gate 
components  for  ranking  importance. 


Table  6.  Classification  of  failure  modes  (Boeing  1998). 


Criticality  of  Failure  Mode 

Classification  of  Failure  Mode 

Weight  (Wi) 

1/1 

CIL  (Critical  Items  List) 

0.99 

1R2 

CIL  (because  it  could  result  in 
loss  of  gate) 

0.9 

1R3 

CIL  or  non-CIL 

0.7 

IRn 

CIL  or  non-CIL 

0.7(n'2) 

(n>3) 

2/2 

CIL 

0.01 

2R3 

CIL  or  non-CIL 

0.001 

2Rn 

CIL  or  non-CIL 

0.001  (n'2) 

(n>3) 

3/3 

Non-CIL 

0.001 

The  following  procedures  describe  how  the  method  is  implemented: 

1.  Classify  the  criticality  of  all  failure  modes  for  the  components  associated  with 
a  top  event  (e.g.,  the  gate  failed  to  open/close  as  shown  in  Figure  1)  as  1/1, 
1R2,  etc... as  shown  in  Table  2  for  all  the  initiating  events  (e.g.,  mechanical 
breakdown,  electrical  breakdown,  etc.,  as  shown  in  Figure  2). 

2.  Assign  the  criticality  value  that  was  determined  for  each  component  in  Step  1 
with  the  associated  weight  factor  as  defined  in  Table  7. 

3.  The  probability  of  failure  of  each  component  and  failure  mode  needs  to  be  de¬ 
termined  either  through  available  data  or  reliability  calculations. 
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4.  Probability  of  failure  to  open/close  gates  can  be  calculated  from  a  fault  tree 
diagram  of  the  gate  subsystems  starting  from  the  bottom  event  and  working 
to  the  top  event  in  that  branch  shown  in  Figure  2.  The  same  process  is  then 
applied  to  the  system  shown  in  Figure  2  to  identify  the  probability  of  failure 
to  open/close  the  gate  system.  This  is  done  using  fault  tree  multiplication 
from  the  AND  or  “OR  gates,  as  indicated  in  the  fault  diagram  (Figures  2  -  5). 

5.  The  probability  of  failure  for  each  component  is  then  weighted  by  multiplying 
times  the  appropriate  factor  identified  in  Step  2. 

6.  The  probability  of  failure  of  the  top  event  (e.g.,  the  probability  that  the  gate 
fails  to  open/close  as  shown  in  Figures  2-5)  can  then  be  calculated  using 
fault  tree  multiplication  for  the  AND  (product  of  the  probabilities)  or  OR  (ad¬ 
dition  of  the  probabilities)  gates. 

An  example  of  this  probability  method  applied  to  the  same  electrical  system 
breakdown  defined  in  the  example  above  is  presented  below. 

A  Critical  Items  List  (CIL)  corresponds  to  hardware  items  and  failure  modes 
that  are  critical  and  need  immediate  attention.  For  example,  if  a  dam  gate  is 
hoisted  by  a  set  of  non-redundant  chains  or  wire  ropes,  as  most  are,  those  chains 
or  ropes  would  be  classified  as  a  CIL.  The  basic  principle  of  criticality  analysis  is 
to  automatically  classify  any  failure  as  a  CIL  if  there  is  no  redundancy  in  the 
system  (e.g.,  1/1,  2/2,  etc.).  In  addition,  if  there  are  less  than  three  redundant 
hardware  critical  components  and  if  the  failure  would  result  in  loss  of  life,  then 
the  failure  mode  (e.g.,  1R2)  is  also  classified  as  a  CIL. 

The  other  failure  modes  that  could  result  in  loss  of  life  or  loss  of  mission  are  clas¬ 
sified  as  CIL  or  non- CIL  depending  on  whether  the  system  passes  a  redundancy 
screen  for  critical  components).  As  stated  earlier,  note  that  when  a  failure  mode 
is  classified  as  1/1,  1R2,  2/2,  it  is  automatically  a  CIL  item.  On  the  other  hand,  if 
a  failure  mode  is  classified  as  1R3,  2R3,  or  higher,  then  the  failure  mode  could  be 
a  CIL  or  non-CIL  depending  on  how  critical  the  redundant  items  are  to  the  fail¬ 
ure  of  the  system.  This  needs  to  be  checked  for  all  the  redundant  hardware 
items.  If  a  hardware  item  passes  all  the  redundancy  screens,  i.e.,  no  loss  of  life 
or  operations  occurs,  then  the  failure  mode  is  non-CIL.  Otherwise,  the  failure 
mode  should  be  classified  as  CIL. 

3.2.2  Example  of  Probability  of  Failure  and  Mission  Criticality 
Calculations 

The  criticality  ranking  of  the  various  electrical  subsystem  component  failure 
modes  is  shown  in  Figure  8  and  Figure  9.  These  values  (e.g.,  2R4  for  a  motor 
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failure)  are  based  on  the  classifications  set  forth  in  Table  2  and  an  understand¬ 
ing  of  the  redundancy  of  the  electrical  system.  An  example  calculation  for  the 
turbine  generator  used  in  the  previous  section  is  demonstrated. 


Table  7.  Example  criticality  index  calculations  for  turbine  generator. 


Figure  8.  Example  of  ranking  based  on  functional  and  hardware  criticality. 
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Figure  9.  Classification  of  failure  modes  for  electrical  system  example. 


The  failure  modes  of  the  turbine  generator  shown  in  Table  2  are  bearing  failure, 
stator  failure,  and  governor  failure.  These  can  be  classified  as  2R4  as  defined  in 
Table  6.  Table  7  defines  the  weight,  Wtg-i  as  1  *  Kb6.  The  exponential  failure 
rate  X,  and  operating  time  T  from  MIL-STD-1629A  for  this  equipment  are 
1.2*  Kb6  and  1000  hours,  respectively. 


-At  -1.2*1(T6«1000 

— >  (7?)rG  j  —  6  —  e 


0.9988 


(Pf  )tg-i  =  1.0  -  0.9988  =  0.0012 

(Pf  )tg-i  *  Wtg-i  =  0.0012  *  1  *  10-6  =  1.2  *10'9 

Similarly,  failure  probability  values  can  be  calculated  for  the  remainder  of  the 
components  shown  in  Figure  8  to  obtain  the  overall  probability  of  electrical 
breakdown  ( Peb ).  Using  the  steps  outlined  above  and  multiplication  through  the 
fault  tree,  the  Peb  is  calculated  as  2*10‘7.  These  calculations  are  further  detailed 
in  Chapter  4.  This  failure  probability  value  for  the  electrical  system  can  then  be 
used  in  the  fault  tree  with  the  other  probabilities  of  subsystem  failure 
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4  Applications  of  Criticality  Methods  for  Dam 
Gates 

The  main  purpose  of  the  criticality  analysis  is  to  rank  every  possible  failure 
mode  for  a  particular  hardware  component  identified  in  a  Failure  Modes  and  Ef¬ 
fects  Analysis  (FMEA).  The  primary  advantage  of  using  criticality  analysis  is 
that  it  provides  a  common  basis  and  consistent  method  for  comparing  various 
failure  modes  of  a  hardware  component.  Criticality  is  a  procedure  that  uses  each 
potential  failure  mode  of  a  component  in  combination  with  the  influence  of  both 
severity  and  the  probability  of  occurrence.  While  the  failure  rate  of  a  hardware 
component  usually  is  the  same  for  all  the  failure  modes,  the  associated  factors  of 
severity  and  failure  mode  probability  used  in  calculating  the  criticality  index  will 
be  different  for  each  failure  mode  and  allow  a  distinction  between  critical  and 
non-critical  modes. 

These  methods  have  been  advocated  mainly  in  the  Military  Standard  (MIL- 
STD)-1629A,  “Procedures  for  Performing  a  Failure  Mode,  Effects  and  Criticality 
Analysis”  (1980).  The  methods  also  have  been  used  and  adopted  by  many  engi¬ 
neering  firms  for  the  design  of  interdisciplinary  engineering  systems.  One  such 
example  is  found  in  the  aerospace  industry,  where  the  procedures  have  been  im¬ 
plemented  both  by  Boeing  and  Lockheed-Martin  in  the  design  of  complex  aero¬ 
space  systems  such  as  the  NASA  (National  Aeronautics  and  Space  Administra¬ 
tion)  space  shuttles.  Because  the  criticality  index  is  so  flexible  and  broad,  its 
applicability  to  infrastructure  components  such  as  flood  control  and  reservoir 
dams  make  it  a  desirable  method  to  incorporate  into  risk  analysis. 


4.1  Criticality  Index  for  Comparison  of  Gate  Subsystems  and  Fault  Trees 
4. 1. 1  Explanation  of  Use 

The  criticality  index  as  defined  by  Equation  1  (page  13)  requires  the  knowledge 
of  parameters  that  may  not  be  readily  available  from  either  manufacturer  re¬ 
cords,  test  data,  or  reliability  textbooks.  In  addition,  it  is  to  be  noted  that  Ck  in 

Equation  1  is  different  for  each  failure  mode,  k,  that  uses  the  same  failure  rate 
A ,  common  to  all  failure  modes.  The  criticality  index  of  the  hardware  compo- 
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nent  can  then  be  obtained  by  summing  the  Ck  values  for  all  applicable  k,  where 
Ck  is  obtained  from  Equation  1.  The  following  paragraphs  summarize  how  to 
determine  the  criticality  index  parameters  from  Equation  1. 

The  failure  rate,  A ,  can  be  determined  using  either  failure  rate  data  from  the 
history  of  existing  or  similar  gate  components  or  the  appendices  found  in  MIL- 
STD-1629A  or  other  MIL-STD  documents.  These  parameters  are  important  to 
define  correctly  and  should  be  researched  as  carefully  as  possible.  If  there  is  any 
uncertainty  in  the  rates,  a  sensitivity  analysis  should  be  conducted  to  ensure 
that  the  final  criticality  index  values  do  not  vary  by  an  order  of  magnitude.  If 
values  do  vary  by  an  order  of  magnitude,  then  further  analysis  and  investigation 
will  be  required  to  develop  a  more  accurate  failure  rate  for  that  component. 

The  component  failure  rate,  A ,  can  be  determined  from  the  mean  time  between 
failures  (MTBF)  of  gate  components  (assuming  similarity  in  operating  environ¬ 
ments,  cycles,  age,  etc.)  from: 

A  = -  (Equation  3) 

MTBF 

If  there  are  no  reported  failures  of  the  components  or  no  similar  components, 
then  A  can  be  estimated  using  the  following  relationship  (Lock  1995): 

x2 

A  =  —  (Equation  4) 

2 1 

This  equation  is  based  on  the  assumption  that  the  probability  that  no  more  than 
t  time  is  required  for  nth  failure  to  appear  can  be  obtained  from  finding  what  per¬ 
centage  point  2  X  t  is  of  the  chi-square  distribution  with  2n  degrees  of  freedom. 
For  n=l,  the  corresponding  chi-square  has  two  degrees  of  freedom.  In  other 
words,  chi-square  distribution  for  two  degrees  of  freedom  is  the  exponential  dis¬ 
tribution  with  failure  rate  of  X  given  by  Equation  4  above.  Then  for  a  given  prob¬ 
lem,  if  the  total  operating  hours  of  a  component  are  known  with  no  failure,  then 
a  predicted  failure  rate  A  can  be  obtained  from  Equation  4.  The  x2  value  can  be 
obtained  for  two  degrees  of  freedom  and  a  required  confidence  level  from  the  chi- 
square  tables  found  in  statistical  textbooks.  For  example,  with  two  degrees  of 
freedom  and  using  a  50%  confidence  level  to  maintain  the  exponential  distribu¬ 
tion  for  the  failure  rate,  the  value  for  x2  would  be  1.386  (Walpole  and  Myers 
1993). 
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The  determination  of  a ,  the  probability  of  occurrence  of  the  failure  mode,  would 
be  most  desirable  to  obtain  from  the  engineers  working  at  the  actual  dam  site 
since  they  would  be  most  familiar  with  the  different  failure  modes  for  the  failure 
modes  and  the  approximate  percentages  that  they  occur.  This  information  may 
also  be  contained  in  maintenance  record  books  or  purchase  requests  for  the  dam 
site.  This  would  also  be  a  parameter  for  which  it  is  necessary  to  assess  sensitiv¬ 
ity  to  ensure  that  a  questionable  input  value  does  not  dominate  the  criticality 
index  calculations.  Also,  it  is  important  to  remember  that  the  sum  of  the  a’s 
must  equal  1.  Again,  in  certain  industries  such  as  aerospace,  this  information  is 
available  for  electrical  components  from  Failure  Mode / Mechanism  Distributions 
(RAC  1991). 

The  determination  of  /? ,  the  probability  of  occurrence  of  the  failure  effect  once 
the  mode  has  been  identified,  is  related  to  the  failure  mode  of  a  hardware  com¬ 
ponent  and  indicates  whether  the  failure  mode  will  result  in  actual  loss  (i.e., 
/?=1.0),  no  effect  or  loss  (i.e.,  [5  =0.0),  or  some  possible  effect  or  loss  (i.e.,  [5  be¬ 
tween  0.001  to  0.999).  This  value  would  be  best  obtained  from  engineers  who  are 
familiar  with  the  dam  site  and  understand  the  components  and  their  effects  on 
the  overall  dam  gate  system. 

A  detailed  example  of  the  calculations  for  the  electrical  subsystem  presented  in 
Chapter  3  is  presented  below. 

4. 1.2  Example  of  Calculation  for  Electrical  Subsystem  of  Dam  Gates 

The  values  for  the  criticality  and  appropriate  weights  (Wi)  are  shown  in  Table  7 
for  various  components  as  related  to  the  electrical  subsystem.  The  following  ex¬ 
ample  uses  values  from  Table  6  (in  Chapter  3)  and  Table  7  to  calculate  the  criti¬ 
cality  index.  The  following  steps  highlight  the  process: 

Step  1:  Criticality  index  of  turbine  generator  1  ( Ctg-i ) 

The  failure  modes  for  the  hardware  component  turbine  generator  from  Figure  9 
are  given  in  Table  7  along  with  values  for  A  ,  a ,  J3 ,  and  t  taken  from  MIL- STD - 

1926A. 

Step  2:  Criticality  index  of  turbine  generator  2  (Ctg-2) 

Assuming  that  the  turbine  generator  2  has  the  same  criticality  index  as  turbine 
generator  1, 
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C tg—2  =  Ctg-i  =  468*10  6 
Step  3:  Criticality  index  for  turbine  generators  ( CTG ) 

This  value  can  be  obtained  using  the  information  indicated  for  each  of  the  asso¬ 
ciated  components  in  Table  7  as, 

Ctg  =  0.5*  Ctg-i  +  0.5  *  Ctg-2-  468*  10  6 

If  these  turbine  components  were  totally  independent  then  the  criticality  index 
would  have  been  936  x  10'6. 

Step  4:  Criticality  index  of  transmission  lines  ( Ctl ) 

The  criticality  index  of  transmission  lines  can  be  calculated  for  values  of 
A  =0.2*  10‘6,  a  =1.0,  P  =1.0,  t=1000  hours  using  Equation  1.  The  criticality  be¬ 
comes: 

Ctl  =  200xl0-6 

Step  5:  Criticality  index  of  utility  substation  equipment  ( Cuse ) 

This  value  can  be  calculated  using  the  parameters  of  A  =  0.3  *10  6,  a  =  1.0,  f3  - 
1.0,  t  =  1000  hours  using  Equation  1.  The  criticality  becomes: 

Cuse  =  300xl0'6 

Step  6:  Criticality  index  of  commercial  transmission  system  ( Cts ) 

The  rollup  of  the  values  for  the  transmission  system  can  be  calculated  using  the 
values  in  Table  7  for  each  of  the  associated  components,  and  the  criticality  of  the 
system  becomes: 

Cts  =  0.6  *  200  *  10'6  +  0.4  *  300  *  106  =  120  *  106  +  120  *  10'6  =  240  *  106 
Step  7:  Criticality  index  of  power  sources  ( Cps-i ) 

The  rollup  of  the  values  for  the  power  sources  can  be  calculated  using  the  values 
in  Table  7  for  each  of  the  associated  components,  and  the  criticality  of  the  system 
becomes: 


Cps-1  =  0.6  *  468  *  10-6  +  0.4  *  240  *  106  =  280.8  *  106  +  96  *  106  =  376  *  10'6 
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Step  8:  Criticality  index  of  emergency  power  (Cep) 

This  value  can  be  calculated  using  the  parameters  of  A  =  0.4*  10  6,  a  =  1.0,  J3  = 
1.0,  t  =  1000  hours  using  Equation  1.  The  criticality  becomes: 


Cep  =  400  *  106 


Step  9:  Criticality  index  of  failure  of  power  source  ( Cfps ) 

The  rollup  of  the  values  for  the  power  sources  can  be  calculated  using  the  values 
in  Table  7  for  each  of  the  associated  components,  and  the  criticality  of  the  system 
becomes: 

Cfps  =  0.8  *  376  *  106  +  0.2  *  400  *  106  =  300.8  *  106  +  80  *  106  =  380  *  106 
Step  10:  Criticality  index  of  control  circuit  failure  (Cccf) 

This  value  can  be  calculated  as  in  step  1  from  the  assumed  values  of_A  =  0.2  *  10‘ 
6,  a  =  1.0,  P  =  1.0,  t  =  1000  hours  as 


Cccf  =200  *  106 


Step  11:  Criticality  index  of  motor  failure  ( Cmf ) 

This  value  can  be  calculated  as  in  Step  1  from  the  assumed  values  of '_X  =  0.1  *  10‘ 
6,  a  =  1.0,  P  =  1.0,  t  =  1000  hours  as 


Cmf=  100  *10'6 


Step  12:  Criticality  index  of  the  failure  mode  of  electrical  subsystem  ( Ceb ) 

Finally,  the  rollup  of  all  the  values  for  the  electrical  subsystem  can  be  calculated 
using  the  fault  tree  shown  in  Figure  9  for  each  of  the  associated  components. 
The  criticality  of  the  system  becomes: 

Ceb  =  0.7  *  380  *  10'6  +  0.2  *  200  *  106  +  0. 1  *  100  *  106 

=  266*  10-6  +  40*  10-6  +  10*  10-6 


=  316*  10-6 
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A  criticality  index  for  other  fault  branches  as  shown  in  Figure  3  and  Figure  5  for 
the  structural  breakdown  ( Csb )  and  mechanical  breakdown  ( Cmb )  can  be  calcu¬ 
lated  using  similar  criticality  index  methods.  After  all  the  fault  tree  branches 
are  complete,  the  criticality  index  for  entire  gate,  i.e.,  Cgate,  can  be  rolled  up  and 
calculated.  This  methodology  can  be  extended  further  to  encompass  all  the  criti¬ 
cality  indices  for  the  failure  modes  shown  in  Figure  1  to  include  such  items  as 
obstructions  (Cob)  and  broken  linkages  ( Cbl ).  Finally,  the  criticality  index  of  the 
top  event,  i.e.,  failure  of  dam  spillway  systems  (C failure-dam- spillway),  can  be  cal¬ 
culated.  Because  the  criticality  indices  of  all  types  of  events,  including  basic,  in¬ 
termediate,  and  top,  are  available,  a  comparison  can  be  made  as  to  the  relative 
performance  of  various  components  of  the  system  (e.g.,  Cfaulty-gates  versus 
C inadequate-spillway-capacity)  . 


4.2  Failure  Probability  Method  for  Comparison  of  Gate  Subsystems  and 
Fault  Trees 

4. 2. 1  Explanation  of  Use 

The  method  developed  to  incorporate  both  the  probabilities  and  redundancies  of 
the  gate  system  is  defined  in  the  following  steps: 

1.  Classify  criticality  of  all  failure  modes  associated  with  the  main  event  (such 
as  gate  failed  to  open/close)  as  1/1,  1R2,  etc.,  using  the  methodology  described 
previously  for  all  the  initiating  events  as  illustrated  in  Figure  2  —  Figure  6  for 
the  case  of  gate  failure. 

2.  Calculate  the  probability  of  failure  for  each  mode  from  the  fault  tree  diagrams 
in  Figure  2  -  Figure  6,  starting  from  the  bottom-most  basic  event.  This  calcu¬ 
lation  would  be  done  using  the  AND/OR  logic  gates  as  shown  and  appropriate 
fault  tree  mathematics  that  follow  the  gates  in  the  fault  tree  diagrams. 

3.  Calculate  the  probability  of  failure  of  the  top  event,  such  as  the  failure  of  the 
gate  to  open  or  close,  using  the  following  equation  for  the  case  of  an  OR  logic 
gate: 


P\MainF ailureMode ]  =  'LWiPfl 


(Equation  5) 


where 


Wi  =  Weight  factor  assigned  to  the  subsystem  (such  as  mechanical 
breakdown)  of  the  failure  mode  (Table  5) 
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Pfi  =  Probability  of  failure  of  the  subsystem  (such  as  mechanical 
breakdown)  of  the  failure  mode 

If  the  top  event  and  the  associated  events  are  connected  through  the  AND  gate 
then,  the  summation  (X)  sign  in  Equation  5  is  replaced  with  the  product  (PD  sign. 

4.2.2  Example  of  Calculation  for  Electrical  Subsystem 

The  critical  ranking  of  various  failure  modes  for  the  electrical  subsystem  is 
shown  in  Figure  9.  The  exponential  distribution,  which  is  commonly  used  to  de¬ 
fine  the  reliability  of  electrical  and  mechanical  equipment,  is  used  to  calculate 
the  probability  of  failures  in  this  example.  The  following  steps  highlight  the 
probability  of  failure  process: 

Step  1:  Probability  of  failure  of  turbine  generator  1  (TG-1) 


The  failure  modes  of  a  turbine  generator  from  Table  1  are  bearing  failure,  stator 
failure,  and  governor  failure.  These  generators  have  been  classified  as  2R4.  The 
criticality  weight,  Wtg-i  from  Table  7  is  1  *  lO6.  The  failure  rate  X  is  from  the 
previous  examples  as  1.2  *  10‘6.  The  reliability  of  the  turbine  generators  is: 


-At  — 1.2*1<T6*1000 

=>  —6  =6 


0.9988 


The  probability  of  failure  for  the  generators  is  the  converse  of  the  reliability,  or 

Pf=  1-R: 


(Pf  )tg-i  =  1.0  -  0.9988  =  0.0012 
Step  2:  Probability  of  failure  of  turbine  generator  2  (TG-2) 

Assume  the  failure  probability  of  turbine  generator  2  ((P/)tg-2)  is  the  same  as  TG- 

1. 

=>  (Pf)  jg- 2  =-0012 

The  criticality  weight,  Wtg-2,  is  1  *  10'6from  Table  7,  as  the  failure  modes  of  a  tur¬ 
bine  generator  are  classified  as  2R4. 


Step  3:  Probability  of  failure  of  turbine  generator  (TG) 
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Probability  of  turbine  generator  failure  can  be  calculated  from  the  following  ex¬ 
pression  (using  AND  gate  in  Figure  9  and  corresponding  weight  values  in  Table 
7): 


(Pf^TG  (Pf^TG-2  *  ^TG-2  *  (^/)rG- 2  *  ^TG-2 

=  (0.0012)  *  (1  *  lO  6)  *  (0.0012)  *  (1  *  10-6) 

=  1.44*  1018 

This  value  for  the  generators  indicates  that  the  redundancy  of  the  generator  sys¬ 
tem  makes  the  probability  of  failure  very  low.  This  result  should  be  expected  for 
highly  redundant  components. 

Step  4:  Probability  of  failure  of  transmission  lines  (TL) 

For  transmission  lines  (TL),  using  a  literature  value  of  A  =  0.2  *  10‘6  and  Wtl= 
1*10-6, 


-At  — 0.2*1(T6*1000 

TL=e  =l-e  =1-0.9998  =  0.0002 

Step  5:  Probability  of  failure  of  utility  substation  equipment  (USE) 

For  utility  substation  equipment  using  the  value  of  A,  =  0.3  *  106,  Wuse  =  0.001, 


-At  — .3*1(T6*1000 

C Pf)lJSE  ~  1  ~  e  — 1  —  ^ 


1-0.99970 


=  0.00030 


Step  6:  Probability  of  failure  of  commercial  transmission  system  (CTS) 

For  commercial  transmission  system  using  an  AND  gate  as  shown  in  Figure  9, 
(Pf)cTs  =  (pf)n  *  WTL(Pf)usE  *  WUSE  =(0.0002)  *  (1  *  10-6)(0.00030)  *  0.001  =6*10' 

17 

Step  7:  Probability  of  failure  of  power  source  l(PS-l) 

For  power  source  1  (PS-1),  using  AND  gate  (Figure  9),  Wtg  as  0.001,  and  Wcts  as 
0.002,  the  corresponding  probability  of  failure  can  be  calculated  as: 
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(Pf)pS- 1  (^/)rG  *  ^TG  *  (Pf)cTS  *  ^CTS 

=  (1.44  *  1018)  *(.001)(6  *  10~17)  *  (.001) 


=  8.64  *10-41 

Step  8:  Probability  of  failure  of  emergency  power  (EP) 

For  emergency  power  the  failure  rate  has  a  value  of  A  =  .4*10~6  and  Wep  =  0.01, 
the  Pf  can  be  calculated  as: 


-At  — .4*1  cr6  *1000 

(Pf)  =  l-e  =l-e 


4*104 


Step  9:  Probability  of  failure  of  power  source  (FPS) 

For  failure  of  power  source  using  an  AND  gate  with  Wps-2=  0.001  and  Wep=  0.01, 

(Pf)FPS  -  (Pf)ps-i  *  Wps-i  *  (P f )ep  *  Wep 
=  (8.64*10-4!)  *  (0.001)(4*10-4)  *  (0.01) 


=  34.56*  10-50 

Step  10:  Probability  of  control  circuit  failure  (CCF) 

For  control  circuit  failure  for  the  value  of  X  =  0.2  *  10-6  and  the  value  for  Wccf 

0.001, 


-At  — .2*1(T6*1000 

(Pf)ccF  =  l-e  =l  —  e  =.0002 


Step  11:  Probability  of  motor  failure  (MF) 


For  motor  failure  the  value  for  A  =  .  1*10  6)  and  the  value  for  WMF  =1*10 


-6 


-At 


(Pf)MF  =  l-e  =1~e 


.1*10^*1000 


1  -  0.9999  =  0.0001 


Step  12:  Probability  of  failure  of  electrical  breakdown  (EB) 
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For  electrical  breakdown  using  OR  gate  with  Wfps=  0.001,  Wccf=  0.001,  Wmf- 
1*10-6, 

(Pf)EB  =  (Pf)FPS  *  WfPS  +  (P)cCF  *  WcCF  +  ( Pf)MF  *  WmF 

=  (34.56  *  10-50)  *  0.001  +  (0.0002)  *  0.001  +  0.0001  *  (1  *  1R6) 

=  0.03  *  1R50  +  2  *  1R7  +  1  *  1R10 

=  2  *  10"7 

This  value  is  very  close  in  magnitude  to  others  found  in  the  literature.  Simi¬ 
larly,  the  Pf  for  other  failure  modes  shown  in  Figure  2,  such  as  for  structural 
breakdown  ( Pf)sB ,  can  be  calculated  using  these  probability  of  failure  values: 
( Pf)GATE  can  be  calculated  by  adding  failure  probabilities  for  other  failure  modes 
shown  in  Figure  2,  such  as  obstructions  ((P/)oa)  and  broken  linkages  ((P ()bl). 

Finally,  the  probability  of  failure  of  the  top  event  (failure  of  dam  spillway)  can  be 
calculated.  Because  the  failure  probabilities  for  all  basic,  intermediate,  and  top 
events  are  available,  a  comparison  of  probabilities  can  easily  be  made  to  deter¬ 
mine  the  relative  importance  of  various  components  of  the  system,  ( Pf)Fauity-Gates 
and  (P f) inadequate-spillway-capacity.  The  results  can  then  be  used  to  tangibly  sup¬ 
port  maintenance  and  repair  funding  requests. 
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5  Spillways  and  Dam  Gate  Risks 


The  risk  assessment  method  discussed  in  this  chapter  provides  a  prioritization 
ranking  procedure  that  accounts  for  both  time  and  event  dependencies.  The  pro¬ 
cedure  also  determines  a  quantitative  value  for  risk  that  can  be  compared  at  the 
component,  project,  or  system- wide  portfolio  level.  This  risk  assessment  method 
is  adaptable  to  the  level  of  inputs  but  provides  a  consistent  methodology  for  the 
prioritization  and  reduction  of  risk  based  on  both  component  and  dam.  There¬ 
fore  this  procedure  is  flexible  enough  to  be  used  for  both  pre-screening  levels  and 
more  complex,  detailed  dam  safety  investigations. 

The  method  has  been  adapted  from  a  literature  search  and  a  summary  of  risk 
assessment  methods  by  Putcha  and  Patev  (2000).  Putcha  and  Patev  summarize 
various  risk  assessment  procedures  available  in  the  literature  that  could  be  used 
to  best  analyze  the  risk  assessment  for  dam  gates.  Putcha  and  Patev  recom¬ 
mend  using  an  adapted  Lafitte  method  in  combination  with  failure  modes  and 
effects  criticality  analysis  to  address  the  risk  for  spillway  gates  based  on  the  lev¬ 
els  for  structural,  geotechnical,  mechanical,  and  electrical  components. 

Lafitte  (1993)  utilized  the  risk  method  defined  by  Bury  and  Guenter  (1984)  in 
which  risk  was  defined  as: 

R  =  P  xDa  (Equation  6) 

where  R  is  the  risk  measured  as  the  extent  of  danger 

P  is  the  probabality  of  occurrence  of  the  undesirable  event 
D  is  the  probable  extent  of  the  damage 
a  is  the  risk  consequence  factor 

(Note:  The  value  for  a  is  typically  taken  as  1  and  can  range  between  1  to  2) 

From  the  expression  above,  the  probabilities  defined  using  the  either  method  de¬ 
scribed  in  Chapter  4  can  be  combined  with  a  set  of  consequences  to  determine 
the  risks  associated  with  the  gate  failing  in  the  open  or  closed  position.  This  fac¬ 
tor  relates  to  spillway  risk  as  one  of  the  top  spillway  events  as  defined  in  Putcha 
and  Patev  (2000).  If,  for  example,  the  probability  of  a  gate  to  fail  opened  or 
closed  was  lxlO  2  and  the  damages  from  the  event  were  1  x  106  dollars,  then  the 
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overall  risk  to  the  spillway  system  from  the  dam  gates  would  be  $100,000  (as¬ 
suming  an  a  =  1).  A  a  greater  than  1  would  indicate  an  aversion  to  catastrophic 
losses  greater  than  the  probabilistic  calculation  of  monetary  damage. 

A  detailed  literature  review  was  conducted  as  part  of  this  research  project  to  see 
if  it  is  possible  to  arrive  at  a  suitable  range  of  values  for  the  risk  consequence 
factor,  a,  for  dam  gates  in  Equation  6.  No  literature  pertaining  to  that  risk  fac¬ 
tor  was  found,  but  a  nonlinear  relationship  could  be  determined  based  on  the 
probabilities  of  failure  for  dam  components  as  defined  later  in  this  chapter.  In 
addition,  if  data  were  available  on  the  probabilities  and  costs  of  existing  dam 
gate  failures,  then  one  way  to  obtain  a  would  be  to  take  the  logarithm  of  both 
sides  of  Equation  6  as  follows: 

log  R  =  log  P  +  a  log  D  (Equation  7) 

That  operation  transforms  Equation  6  into  a  linear  form,  and  the  a  can  then  be 
estimated  using  a  regression  analysis.  For  various  components  of  a  dam,  it  may 
be  possible  to  estimate  this  value  knowing  the  risks  of  dam  failure  and  the  an¬ 
ticipated  damages  from  a  gate  failure. 

Lafitte  used  this  equation  for  risk  in  the  application  to  address  safety  issues  re¬ 
lated  to  the  overtopping  of  dams.  Lafitte’s  equation  has  been  further  developed 
in  this  report  to  assist  with  the  development  of  the  relative  risks  for  different 
components  (i.e.,  structural,  geotechnical,  mechanical,  and  electrical)  of  a  dam 
gate  system  to  assist  with  dam  portfolio  risk  assessment  and  risk  prioritization 
and  reduction.  Equation  6  above  can  be  redefined  to  account  for  the  risk  of  a 
single  component  based  on  pools,  probabilities  of  failure,  and  the  extent  of  dam¬ 
ages.  This  equation  then  becomes  modified  as: 


R  =  a  P[F[D“'  (Equation  8) 

i 

where  R  is  the  total  relative  risk  for  a  dam  component  over  a  range  of  pools 
P;  is  the  probabality  of  the  pool  event  from  i  to  event  n 
Fj  is  the  probabality  of  failure  of  the  component  at  pool  event,  i 
Dj  is  the  extent  of  damages  from  the  pool  and  component  failure  during  pool  event,  i 
a  .  is  the  risk  consequence  factor  that  relates  to  the  probability  of  failure  during  event,  i 

The  inputs  for  this  equation  use  data  that  is  usually  available  for  most  projects 
such  as  the  stage  frequency  curves  (pool  elevation  versus  probability)  and  dam- 
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age  frequency  curves  from  DAMBREAK  calculations.  The  probability  of  failure 
for  each  component  can  be  determined  based  on  the  level  of  risk  assessment  that 
is  being  performed.  For  pre-screening  portfolio  assessment  levels,  the  use  of  ex- 
pert-opinion  elicitation  or  simple  reliability  modeling  would  be  sufficient  to  esti¬ 
mate  the  probability  of  failure  for  most  dam  components.  For  more  detailed 
portfolio  assessment  levels,  the  results  from  either  engineering  reliability  models 
at  a  level  similar  to  models  for  major  rehabilitation  or  fragility  analysis  models 
or  response  surface  reliability  models  (nonlinear  response  under  various  load 
conditions  than  designed)  can  be  utilized.  In  addition  the  use  of  fault  trees,  fail¬ 
ure  modes  effects  and  criticality  analysis  can  also  be  tied  in  at  any  level  of  as¬ 
sessment  as  well. 

A  hypothetical  example  is  shown  in  Table  8  below  to  estimate  gate  and  founda¬ 
tion  risk  using  the  above  equation  for  a  spillway  system.  Table  8  shows  the  rela¬ 
tive  effect  of  using  both  a  risk  consequence  factor  of  1  and  a  nonlinear  value  for 
the  risk  consequence  factor*  a.  This  value  is  based  on  the  nonlinear  relationship 
between  the  factor  and  the  probability  of  failure  as  defined  in  Figure  10.  Based 
on  this  nonlinear  relationship,  the  relative  risk  contribution  for  the  gates  is  ap¬ 
proximately  1.1  x  1014  while  the  risk  for  the  foundation  is  2.1  x  1015. 


Table  8.  Hypothetical  example  of  risk  from  gate  or  foundation  failure  for  a  spillway  system. 

Gates  Failure  Alpha  =  1 

Pool  P  (pool!  Pf  ®  pool  Damages  ®  pool  R=Pp*Pf*DAAlpha  R=Pf‘DAAlpha  New  Alpha  R=Pp*Pf*DANew  Alpha 
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0.01 
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0.2 

0.1 
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20 

0.1 
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0.01 

0.5 
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30 
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0.9 

3000000 
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2700000.00 
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7.68051  E+1 2 
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5000000 
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R  =  1.13395E+14 


Foundation  Failure  Alpha  =  1 

Pool  P  (pool)  Pf  @  pool  Damages  @  pool  R=Pp*Pf*DAAlpha  R=Pf*DAAlpha  New  Alpha  R=Pp*Pf*DANew  Alpha 


5 

0.99 

0.00001 

200000 

1.98 

2.00 

1.00001 

1.980241696 

10 

0.5 

0.001 

500000 

250.00 

500.00 

1.0010005 

253.3038724 

15 

0.2 

0.01 

700000 

1400.00 

7000.00 

1.010050167 

1602.773848 

20 

0.1 

0.1 

2000000 

20000.00 

200000.00 

1.105170918 

91984.59597 

25 

0.01 

0.5 

4000000 

20000.00 

2000000.00 

1.648721271 

383642526.6 

30 

0.001 

0.9 

7000000 

6300.00 

6300000.00 

2.459603111 

6.17258E+13 

35 

0.0001 

0.99 

15000000 

1485.00 

14850000.00 

2.691234472 

2.0332E+15 

49436.98 


R= 
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Probability  of  Failure 


Figure  10.  Nonlinear  relationship  between  risk  consequence  factor  and  probability  of  failure. 

The  time-dependency  aspects  of  the  components  or  the  hazard  rates  also  can  be 
used  in  a  similar  analysis.  The  component  reliability  could  be  either  time-  or 
event-dependent  if  the  component  degrades  or  is  subject  to  another  event  that  is 
not  hydraulically  related.  Equation  8  can  be  modified  to  address  dam  risk  by 
incorporating  the  time  aspects  of  the  probabilities  of  failure  for  various  dam 
components  as  follows: 

t  n 

R(t)  =  a  a  £'E(7)D“i  (t)  Equation  9 

0  i 

where  R  (t)  is  the  total  relative  risk  over  time  for  a  dam  component  over  a  range  of  pools 
Pj  is  the  probabality  of  the  pool  event  from  i  to  event  n 

F;  (t)  is  the  time-dependent  probabality  of  failure  of  the  component  at  pool  event,  i 
D  (t)  is  the  time -dependent  extent  of  damages  from  the  pool  and  component  failure  during  pool  event,  i 
a  f  is  the  risk  consequence  factor  that  relates  to  the  probability  of  failure  during  event,  i 

A  hypothetical  example  for  the  relative  risks  associated  with  a  gate  system  con¬ 
sisting  of  structural,  mechanical,  and  electrical  components  is  shown  in  Figure  2 
(Chapter  2).  These  relative  risk  values  are  calculated  using  the  nonlinear  value 
for  the  risk  consequence  factor,  a,  defined  in  Figure  10.  The  baseline  condition  is 
the  time-dependent  relative  risk  without  rehabilitation  of  any  components  at  the 
spillway  project,  as  shown  in  Figure  11.  Risk-reduction  measures  or  alternatives 
can  also  be  determined  very  easily  using  this  method.  The  alternative  risk  solu¬ 
tions  are  presented  for  (1)  the  rehabilitation  of  all  the  components  at  a  25-year 
cycle  and  (2)  the  rehabilitation  of  the  mechanical  equipment  at  15 -year  cycle  and 
the  structural  components  at  30-year  cycle.  These  risk  curves  are  shown  in 
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Figure  12  and  Figure  13,  respectively,  and  the  overall  graph  of  the  alternatives 
is  shown  in  Figure  14. 


Figure  11.  Baseline  condition  -  no  rehabilitation. 


Risk  Reduction  -  Rehab  Components  at  25  years 


- Structural 

- Mechanical 

- Electrical 

- -Total  Risk 


Figure  12.  Alternative  1  -  rehabilitation  of  all  components  in  Year  25. 
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Figure  13.  Alternative  2  -  rehabilitation  of  mechanical  and  electrical  components  in  Year  15  and 

structural  components  in  Year  30. 


Risk  Reduction  -  T otal  Risks 


- Base  Condition 

. Rehab  at  25  Years 

— - Rehabs  at  10  years  for  M/E,  30 

Years  Structural 


Figure  14.  Summary  of  risk-reduction  measures  for  spillway  system. 


The  use  of  this  time-dependent  procedure  for  risk  calculations  will  permit  the 
development  of  hazard  functions  for  risk  that  can  be  used  in  the  economic  calcu¬ 
lations  of  benefit/cost  ratio.  The  damages  associated  with  the  risks  could  include 
downstream  flood  damage  costs,  dam  repair  costs,  emergency  action  costs,  envi¬ 
ronmental  costs,  security  costs,  and  potential  loss  of  life.  An  optimized  solution 
can  be  determined  that  coordinates  current  and  future  budgets  with  available 
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funding  and  the  priorities  of  the  structures  while  also  conforming  to  Office  of 
Management  and  Budget  requirements  for  using  benefit/cost  ratio  in  funding 
proposals  (much  as  it  is  done  in  the  major  rehabilitation  process).  Another  ad¬ 
vantage  of  this  method  is  it  presents  an  equal  priority  ranking  of  all  dam  compo¬ 
nents  over  time,  including  structural,  geotechnical,  mechanical,  and  electrical,  as 
well  as  incorporating  site  hydrology  information  and  vulnerability  risks. 
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6  Conclusions 


Two  different  criticality  methodologies  have  been  presented  to  assist  with  the 
risk  analysis  of  dam  gates.  These  methods  can  be  very  useful  for  practicing  en¬ 
gineers.  They  assist  with  defining  the  fault  trees  associated  with  dam  gates  and 
risk  identified  for  dam  gates.  Detailed  fault  trees  are  also  presented  for  the  case 
of  dam  spillway  system  failure  in  general  and  gate  failure  in  particular.  These 
fault  trees  were  developed  on  the  basis  of  technical  consultations  with  Corps  en¬ 
gineering,  operations,  and  dam  safety  personnel. 

The  first  method  presented  is  based  on  the  concept  of  criticality  index  and  failure 
modes  and  effects  analysis  (FMEA).  This  method  is  considered  a  valuable  tool 
for  prescreening  of  gate  subsystems  because  it  accounts  for  all  component  failure 
modes  and  incorporates  the  critical  nature  for  each  failure  mode.  This  method 
may  also  be  used  to  provide  a  relative  ranking  of  the  subsystems  of  dam  gates, 
which  can  be  used  to  make  important  economic  decisions  such  as  rehabilitation 
versus  modification  of  dam  gates. 

The  second  method  proposes  the  ranking  of  failure  modes  based  on  a  mission 
criticality  to  determine  the  probability  of  failure  for  a  gate  system  or  subsystem. 
This  method  is  well  suited  to  assist  with  making  economic  decisions  if  there  is 
ever  a  need  to  rehabilitate  the  dam  gates.  Proposed  future  work  would  include  a 
direct  application  of  the  methods  to  an  existing  dam  gate  system.  Such  a  dem¬ 
onstration  would  promote  additional  enhancements  to  the  procedures  developed 
here. 

The  method  of  Lafitte  (1993)  is  proposed  as  a  potential  method  for  overall  risk 
assessment  of  spillways  because  of  its  compatibility  with  fault  tree  analysis  to 
obtain  the  failure  probability.  The  Lafitte  method  also  provides  another  advan¬ 
tage:  it  includes  a  simple  relation  for  using  probability  of  failure  values  in  its 
risk  calculation.  Additional  research  is  recommended  to  better  determine  the 
risk  consequence  factor,  a,  used  in  the  Lafitte  equation  for  calculating  overall 
risk. 
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conjunction  with  subsystem  importance-ranking  factors  to  estimate  overall  gate  system  failure  probability.  Both  methods  can  be  linked 
qualitatively  with  the  Lafitte  risk  method  through  event  costs  and  consequences  to  determine  the  overall  risk  for  a  dam  spillway  sys¬ 
tem. 

Enhancement  of  the  two  demonstrated  methods  would  require  a  direct  application  of  the  methods  to  an  existing  dam  gate  system. 

Also,  additional  research  would  be  necessary  to  better  determine  the  risk  consequence  factor,  a,  used  in  the  Lafitte  equation  for 
calculating  overall  risk. 
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